ike-access-control

The ike-access-control configuration element defines the allowlist, blocklist, and DDoS parameters to be used by the ike-interface to which it is applied.

Syntax

name
Establishes the name of this ike-access-control object.
state
Enables or disables this ike-access-control object.
identifiers
Specifies a list of allowlist identifier prefixes (^ is used as a wildcard for a single hexadecimal digit; + or - is used to add or remove a prefix).
blocklisted-identifiers
Specifies a list of blocklist identifier prefixes (^ is used as a wildcard for a single hexadecimal digit; + or - is used to add or remove a prefix).
deny-period
Specifies the quarantine period imposed on an endpoint that transitions to the deny state. During the quarantine period, the endpoint is denied all access to the IKEv2 interface.

deny-period and tolerance-window must both be set to non-zero values to enable IKEv2 DDoS protection.

  • Default: 30
  • Values: Min: 0 / Max: 999999999 (seconds)
tolerance-window
Specifies the interval (in seconds) between checks of endpoint-specific traffic counters.
  • Default: 0 (IKEv2 DDoS disabled)
  • Values: Min: 0 / Max: 999999999 (seconds)
pre-ipsec-invalid-threshold
Enables protection against a DDoS attack that consists of malformed, or otherwise invalid, packets during the IKEv2 SA negotiation process by specifying the maximum number of malformed IKEv2 SA packets tolerated from a specific endpoint within the interval set by the tolerance-window parameter. These attacks can attempt to consume system resources in a futile effort to complete negotiation of IKEv2 SAs.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 999999999 (packets)
pre-ipsec-maximum-threshold
Specifies the maximum number of valid IKEv2 SA packets tolerated from a specific endpoint within the interval set by the tolerance-window parameter. Attacks of this kind attempt to prolong the IKEv2 negotiation by persistently renegotiating the IKEv2 SA.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 999999999 (packets)
after-ipsec-invalid-threshold
Enables protection against a DDoS attack that consists of malformed, or otherwise invalid, packets after SA setup by specifying the maximum number of malformed packets tolerated from a specific endpoint within the interval set by the tolerance-window parameter. These attacks can attempt to consume system resources in a futile effort to complete negotiation of IKEv2 SAs.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 999999999 (packets)
after-ipsec-maximum-threshold
Specifies the maximum number of valid IKEv2 packets tolerated after SA setup from a specific endpoint within the interval set by the tolerance-window parameter. Attacks of this kind attempt to prolong the IKEv2 negotiation by persistently renegotiating the IKEv2 SA.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 999999999 (packets)
auth-failure-threshold
Specifies the maximum number of unsuccessful authentication messages tolerated from a specific endpoint within the interval set by the tolerance-window parameter. These attacks attempt to consume system resources by persistently presenting invalid credentials during the endpoint authentication process.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Default: 0 (disabled)
  • Values: Min: 0 / Max: 999999999 (authentication attempts)
auth-critical-failure-threshold
Specifies the maximum number of authentication critical failures tolerated from a specific endpoint within the interval set by the tolerance-window parameter. These attacks attempt to consume system resources by persistently presenting invalid credentials during the endpoint authentication process.

If this threshold value is reached, the endpoint is quarantined for an interval defined by the deny-period parameter.

  • Disable: 0
  • Default: 1
  • Values: Min: 0 / Max: 999999999 (authentication attempts)
auth-failure-report
Specifies how failed authentications are reported. Used in conjunction with the auth-failure-threshold parameter.
  • no-reporting—(the default), authentication failures are not reported
  • snmp-trap-only—authentication failures are reported by generating an SNMP trap (refer to "SNMP Trap" for information on the trap structure)
  • syslog-only—authentication failures are reported by sending a syslog message
  • snmp-trap-and-syslog—authentication failures are reported with both an SNMP trap and a syslog message
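The following is an added Python model (not Oracle code, and not the SBC's actual implementation) of how the parameters above fit together: an identifier prefix check with the ^ wildcard, then per-endpoint event counters that are reset every tolerance-window seconds and trigger a deny-period quarantine when a threshold is reached. The order in which the blocklist and allowlist are consulted, and the exact moment counters are compared, are assumptions for illustration.

```python
from collections import defaultdict

HEX = set("0123456789abcdefABCDEF")

def prefix_matches(identifier, prefix):
    """True if identifier starts with prefix; '^' stands for any single hex digit."""
    if len(identifier) < len(prefix):
        return False
    return all(c in HEX if p == "^" else p.lower() == c.lower()
               for p, c in zip(prefix, identifier))

def identifier_permitted(identifier, allow_prefixes, block_prefixes):
    """Assumption: blocklist is consulted first; a non-empty allowlist must then match."""
    if any(prefix_matches(identifier, p) for p in block_prefixes):
        return False
    if allow_prefixes:
        return any(prefix_matches(identifier, p) for p in allow_prefixes)
    return True

class EndpointGuard:
    """Per-endpoint counters (e.g. 'auth-failure', 'pre-ipsec-invalid') checked
    against thresholds inside one tolerance window; reaching a threshold
    quarantines the endpoint for deny_period seconds."""
    def __init__(self, tolerance_window, deny_period, thresholds):
        self.window, self.deny_period, self.thresholds = tolerance_window, deny_period, thresholds
        self.counters = defaultdict(lambda: defaultdict(int))
        self.window_start = {}
        self.denied_until = {}

    def enabled(self):
        # DDoS protection requires both deny-period and tolerance-window to be non-zero
        return self.window > 0 and self.deny_period > 0

    def is_denied(self, endpoint, now):
        return self.denied_until.get(endpoint, 0) > now

    def record(self, endpoint, event, now):
        """Count one event for endpoint; return True if the endpoint is quarantined."""
        if self.is_denied(endpoint, now):
            return True
        if not self.enabled():
            return False
        start = self.window_start.setdefault(endpoint, now)
        if now - start >= self.window:        # tolerance window elapsed: reset counters
            self.window_start[endpoint] = now
            self.counters[endpoint].clear()
        self.counters[endpoint][event] += 1
        limit = self.thresholds.get(event, 0)   # a threshold of 0 means that check is disabled
        if limit and self.counters[endpoint][event] >= limit:
            self.denied_until[endpoint] = now + self.deny_period
            self.counters[endpoint].clear()
            return True
        return False
```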

Path

ike-access-control is a subelement under the ike element. The full path from the topmost ACLI prompt is: configure terminal, security, ike, ike-access-control.

Note:

This is a multiple instance configuration element.